Azure Policy

  • Azure Policy helps to enforce organizational standards and to assess compliance at scale.
  • Policies can be grouped together into Initiatives (aka policySets).
  • The Azure Policy Guest Configuration agent is the service that runs on a VM to audit and remediate configuration issues.

Examples of rules a policy can enforce:

  • Require newly created resources to have certain tags.
  • Disallow creation of certain resource types.
  • Constrain the regions where resources can be deployed.
  • Require virtual machines to be configured with encryption at rest for disk storage.

Times or events when policies are evaluated:

  • A resource is created or updated in a scope with a policy assignment.
  • A policy or initiative is newly assigned to a scope.
  • A policy or initiative already assigned to a scope is updated.
  • During the standard compliance evaluation cycle, which occurs once every 24 hours.

Options for responding to compliance issues:

  • Deny the resource change
  • Log the change to the resource
  • Alter the resource before the change
  • Alter the resource after the change
  • Deploy related compliant resources
  • Block actions on resources
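
As an added example (not part of the original notes), here is a custom policy definition for the region constraint mentioned earlier. The display name, description and parameter names are constructed for illustration. The effect is a parameter, so the same rule can be assigned to log the change (audit) or to deny it.

```json
{
  "properties": {
    "displayName": "Example (constructed): restrict resource locations",
    "description": "Illustrative definition; resources outside the allowed regions are audited or denied.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": ["audit", "deny", "disabled"],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning with the effect set to audit first shows which existing resources would be flagged before the assignment is switched to deny.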

Policy effects are evaluated in a fixed order of precedence, listed here from first to last:

  • disabled
  • append and modify
  • deny
  • audit
  • manual
  • auditIfNotExists
  • denyAction

Last modified: 2024/10/03 13:03 by mmuze